ato logo
Search Suggestion:

How to test controls

Last updated 24 August 2022

We have included the following guidance to help you understand the type and frequency of control testing that can be applied to assess a tax governance framework. When we conduct a review of tax governance processes we generally adopt the walkthrough approach to determine if your existing controls and assurance processes are adequate.

Given the unique and specialised nature of the tax reporting function, tax-related controls may not always be independently tested under existing internal or external audit schedules. Consideration should be given to an independent review of key tax controls to evaluate their effectiveness, even if they are only tested on a rotational basis.

You may rely on existing processes to test your overall control framework and tax function (preparing tax/excise/BAS return and other tax matters). However, you should be able to demonstrate that your assurance processes are sufficient to evaluate the effectiveness of tax-related key controls. For example, there may be testing of tax-related controls for entities that have an existing financial reporting control framework tested as part of the annual external audit of the financial reports.

Ultimately we consider a large complex organisation should be able to demonstrate that:

  • all key controls related to the tax function have been clearly identified, including but not limited to tax sign-off of major transactions, system changes and the management of the tax issues register
  • testing frequencies of these controls are known by the tax function
  • testing results are reported to the tax function
  • any control breakdowns and remediation actions are communicated to the tax function.

Methods used to test controls

There are two components to testing controls: design effectiveness and operational effectiveness.

The requirements and methods we outline below can be used to test and evaluate your tax control framework. This information, although consistent with the external audit approach to evaluate internal control frameworks, should be considered general guidance only, serving a range of people conducting controls testing, including internal auditors, in-house operational staff and management staff.

Your tax control framework is made up of individual control activities designed to prevent or detect the tax risks that your organisation has identified.

Testing control design effectiveness

The most common method is to perform a walkthrough of the control processes, which include the following actions:

  • conducting an inquiry into appropriate personnel
  • observing the company’s operations
  • inspecting relevant documentation and addressing the following objectives    
    • firstly understanding the flow of transactions related to the relevant tax/excise/BAS return and WET product classification line item, including how these transactions are initiated, authorised, processed, recorded and treated for tax purposes
    • secondly identifying the points within the process at which a potential error is likely to occur
    • thirdly identifying the controls that you have implemented to address these potential errors.
     

Upon completing a walkthrough, the end-to-end flow of transactions or sub-processes should be mapped out or narrated from beginning to end, with clear markers indicating the points of potential errors (second objective) and controls (third objective).

In some cases, particularly in lower risk or less complex manual or automated controls, a walkthrough would provide sufficient evidence of operating effectiveness. The specific procedures performed as part of the walkthrough and the results of those procedures should be clearly documented and justified.

Example of a walkthrough scenario for a tax process

In the table below we outline an example of how you may document a tax function process to provide a clear view of your key control points. The walkthrough example below documents typical processes and controls for preparing a corporate tax return.

For entities with consolidated tax groups, we acknowledge that your tax return preparation processes and controls may be slightly different.

Walkthrough example-preparing a corporate income tax return
Walkthrough example-preparing a corporate income tax return

Tax return process narration

Key Control(s)?

Manual or automated controls?

Frequency of control?

How is the operation of the control evidenced?

Review closing balance and carry forward items from previous year's tax return

Control A

Manual

Annual

Sign-off of year end checklist by tax team member and review by tax team manager.

Review various factors that would impact the current year tax return (including new tax laws, changes in accounting standards, internal accounting system upgrades, etc.)

Control B

Manual

Annual

Sign-off of year end checklist by tax team member and review by tax team manager.

Extract general ledgers from finance system for the relevant period (12 months ending 30 June 2014) by team member

Not a key control

N/A

N/A

N/A

Check that the extractions of general ledgers include all relevant legal entities under Parent Co at month end (reconcile to Parent Co group structure)

Control C

Manual

Monthly

Sign-off of month end checklist by team member and review by team manager.

Upload general ledgers to tax calculation software

Not a key control

N/A

N/A

N/A

Tax calculation software is proprietary software that has been programmed to map general ledger to pre-defined tax classification categories

Not a key control

N/A

N/A

N/A

Working papers are prepared for all manual adjustments

Not a key control

N/A

N/A

N/A

Manual adjustments are inputted into the tax calculation software by tax staff

Not a key control

N/A

N/A

N/A

Individual entity tax returns are reviewed by a second tax staff member via tax calculation software

Control D

Manual

Yearly (Income tax)

Sign-off of year end checklist by tax team member and review by tax team manager.

Third-level review (such as a senior manager) on the tax return and completes a tax calculation checklist

Control E

Manual

Yearly (income tax return)

Sign-off of year end checklist by tax team member and review by tax team senior manager.

Finalised individual entity tax returns are aggregated within tax calculation software

Not a key control

N/A

N/A

N/A

Reconciliation of accounting profit/loss to taxable income/loss to ensure completeness, accuracy and incorporate explanatory notes for all differences

Control F

Manual

Annual

Sign-off of year end checklist by tax team member and review by tax team manager.

Review of consolidation and elimination entries to ensure completeness and accuracy

Control G

Manual

Annual

Sign-off of year end checklist by team member and review by team manager.

Working papers are prepared for supporting schedules

Not a key control

N/A

N/A

N/A

Group tax return and schedules are reviewed and signed off by tax review team

Control H

Manual

Annual

Sign-off of year end checklist by tax team member and review by tax team senior manager.

Executive memorandum is prepared and tabled to a governing committee summarising the analysis on Parent Co’s tax position as per tax return

Control I

Manual

Annual

Tax manager submission to relevant board committee.

Final review and lodgment of tax return by company's head of tax

Control J

Manual

Annual

Head of tax sign off of tax return.

Copy of the tax return, schedules and associated paperwork is stored and filed centrally

Control K

Manual

Annual

Copies of tax return, schedules and associated paperwork is retrieved

The Tax return process described above has been represented diagrammatically below. The green circles indicate key controls as per column two in the table above:

The tax return process (described above) presented as a flowchart.

End of example

Example of a walkthrough scenario of the BAS preparation process

In the table below we outline an example of how you may document a BAS preparation process to provide a clear view of your key control points. The walkthrough example below documents typical processes and controls for preparing a BAS.

For entities with GST groups, we acknowledge that your BAS preparation processes and controls may be slightly different.

Walkthrough example-the BAS preparation process

BAS preparation process narration

Key Control(s)?

Manual or automated controls?

Frequency of control?

How is the operation of the control evidenced?

Perform month end closure and run relevant Batch reports from accounting systems

Control A

Automated

Monthly

Confirmation that month-end closure is completed.

Export to Excel or other systems as relevant

Not a key control

N/A

N/A

N/A

Review the extracted data/batch report to ensure that the accuracy and reasonableness of data

Control B

Manual

Monthly

Sign-off of BAS preparation checklist by tax team member and review by indirect tax manager/supervisor.

Process necessary manual adjustments/revisions to ensure correct GST classification/coding/treatment

Not a key control

N/A

N/A

N/A

Manual adjustments/working papers are reviewed and authorised

Control C

Manual

Monthly

Sign-off from BAS preparation checklist and review of manual adjustments by Indirect Tax Manager/supervisor

Lock period to ensure no changes are made to data for BAS preparation

Control D

Automatic/
Manual

Monthly

Sign-off of month end checklist by team member and review by team manager.

Run GST reports relevant for BAS preparation

Not a key Control

N/A

N/A

Monthly

Ensure GST reports reconcile with the key GST accounts in the general ledger

Control E

Manual

Monthly

Sign-off from BAS preparation checklist by team member and review by team manager.

Prepare BAS for each entity in the GST group and prepare consolidation as required

Not a key control

N/A

N/A

N/A

Review BAS preparation working papers and calculations and check label

Control F

Manual

Monthly

Sign-off from BAS preparation checklist by team member and review by team manager

Perform variance/movement analysis and review reasonableness of the prepared BAS

Control G

Manual

Monthly

Sign-off from BAS preparation checklist by team member and review by team manager

BAS is reviewed and signed off by a senior indirect tax staff or Senior Manager such as Finance Director

Control

H

Manual

Monthly

Sign-off of year end checklist by tax team member and review by tax team manager.

Finalised BAS is lodged electronically by due date

Control I

Manual

Monthly

Sign-off of year end checklist by tax team member and review by tax team manager.

Copy of the BAS, associated work papers and reports are stored and filed centrally

Control J

Manual

Monthly

Copies of BAS return, schedules and associated paperwork is retrieved

GST related general ledger account reconciliations are performed and reviewed on a monthly basis (post return submission)

Control K

Manual/
Automatic

Monthly

Copies of Reconciliations performed and sign-off from Tax Manager or senior indirect staff indicating review.

The BAS preparation process described above has been represented diagrammatically below. The green circles indicate control keys as per column two in the table above:

The BAS preparation process (described above) presented as a flowchart.

Example of a walkthrough scenario of the excise return preparation

For excise, the return preparation process can vary depending on the systems used and the process to determine the correct excise based on the products. Typical walkthrough should consider the following to identify the processes and related controls utilised as part of the preparation of excise return and the Out of Period Adjustment (OOPA)

  • What reports/extracts of data are utilised to generate the excise return?
  • What checks and reviews are undertaken to ensure the accuracy of the data?
  • What is the nature and type of manual adjustments made? Are they reviewed and approved?
  • Are material transactions reviewed? What thresholds are applied to determine the materiality of a transaction affecting the excise liability?
  • Are the working papers, documentation are required to be kept for supporting the excise return/OPPA?
  • Is the return/OPPA reviewed prior to lodgment?
  • What approval are required as part of lodgment of return and payment of the liability
  • What general ledger accounts relating to the excise liability are reconciled and reviewed?
  • How often is the account reconciliations performed?
  • How are reconciling items rectified/investigated and what the is approval process of write-offs

Having narrated and mapped out the relevant processes related to your tax functions, an assessment of the control design effectiveness can be undertaken.

The assessment of control design effectiveness should include:

  • whether the control, as designed, achieves the control objective (a control objective should clearly describe the specific risks or potential errors that the control aims to reduce or eliminate)
  • the timeliness of the control procedures
  • the rigour and precision at which the control is designed to operate
  • the appropriateness of assigned roles and responsibilities.

Conclusions on both effective and ineffective control designs should be clearly documented. Effective designs should be further tested to assess the operational effectiveness of controls through the period under review. Ineffective designs should be reported and replaced with better practice recommendations as part of a remediation plan.

If the design effectiveness of a control is determined to be inadequate, a new control should be designed. In this the case, consideration should be given to conducting a review to assess the impact on current and previously lodged returns.

Testing the operational effectiveness of a control

If the design effectiveness of a control is adequate and is expected to reduce the identified tax risk, the control should then be tested for operational effectiveness. This determines whether controls have operated effectively throughout the period under review. To determine control operational effectiveness, a combination of methods can be used, including:

  • re-performance provides the most evidence in determining operational effectiveness of a control.
  • examination/inspection tests provide the second-most amount of evidence.
  • observation provides the third-most amount of evidence.
  • inquiry provides the least amount of evidence (inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control).

Testing plan

Auditors and other assurance providers are guided by auditing standards to exercise their professional judgment in assessing the operational effectiveness of key controls. We advocate a similar approach be taken. The objective of a control testing plan is to identify the key controls that have a significant impact on tax risk and assess your existing level of assurance is operating effectively.

Many key tax controls will be subject to existing internal or external audit review schedules or a second level review within the tax or finance function. If a key tax control is reviewed independently and the review is considered robust enough to provide a reasonable level of assurance, the control may in effect be considered tested for operational effectiveness. Additionally, you may have evidence from previous control testing that may support a notion that your tax controls are effective and would continue to be so.

If no testing has taken place in relation to a key tax control you should map out the frequency and assumed population of control occurrences. To obtain a reasonable level of assurance, independent testing should then take place. Auditing standards do not specify set sample sizes to test within a population of control occurrences. The level and frequency of any control testing necessary for a reasonable level of assurance is determined by an appropriately skilled person, for example an internal auditor.

Example: Sample sizes for controls testing

An example of minimum sample sizes for controls testing is provided below

Example of minimum sample sizes for control testing

Frequency of control

Assumed population of control occurrences

Number of items to test for a reasonable level of assurance

Annual

1

1

Quarterly

4

3+

Monthly

12

5+

Ad hoc

Ad hoc

As appropriate

 

End of example

 

Example: Testing of control operational effectiveness

Key control: Reconciliation of document A to document B is completed and independently reviewed

Frequency: Monthly

Method of testing: Inquiry and inspection

Sample size: 5

Test: Randomly select a sample of 5 reconciliations performed between 1 July and 30 June and verify that they have been completed and reviewed independently. Note the control in the example below would not have been considered to be operating effectively (since sample 2 and 3 failed) – all 5 instances should have passed for it to be deemed to operate effectively.

Example: Testing of control operational effectiveness'
Example: Testing of control operational effectiveness'

Sample

Month

Test (Pass/Fail)

Comments

Reference

Sample #1

July

Pass

Sample was completed by Staff A and reviewed by Staff B.

Doc10001

Sample #2

September

Fail

Reconciliation was not completed for this week.

N/A

Sample #3

January

Fail

Sample was not independently reviewed. Preparer sign off only.

Doc10002

Sample #4

April

Pass

Sample was completed by Staff A and reviewed by Staff B.

Doc10003

Sample #5

June

Pass

Sample was completed by Staff A and reviewed by Staff B.

Doc10004

 

End of example

Assessing the effectiveness of the control framework

The extent to which an assessment of effectiveness can rely on the work of others will vary, depending on the level of competency of those performing the work.

The following list – in order of reliance from high at 1, to low at 4 – shows the typical relationship between the role of the person performing the procedures and the amount of evidence we may obtain from that work:

  1. external auditor testing
  2. internal audit/third party on behalf of management
  3. management testing
  4. management self-assessment.

When relying on the work of others, the competency of those undertaking controls testing should be assessed by obtaining and evaluating the following items:

  • educational level and professional experience
  • professional certification and continuing education
  • supervision and review of work performed
  • quality of working-paper documentation, reports, and recommendations.

When evaluating if a control is effective, you should consider the definitions in Auditing Standard ASA 265; Communicating Deficiencies in Internal Control to Those Charged with Governance and ManagementExternal Link (we have replaced 'financial report' with 'tax return/excise return/BAS').

A deficiency in internal control means either a control:

  • is designed, implemented or operated in such a way that it is unable to prevent, or detect, and correct misstatements in the tax return on a timely basis
  • necessary to prevent, or detect, and correct misstatements in the tax return/excise return/BAS on a timely basis is missing.

A significant deficiency in internal control means: a deficiency or combination of deficiencies in internal control that in the judgment of the external/internal* auditors or management (see note) is of sufficient importance to merit the attention of those charged with governance.

Note: Modified from original standard to reflect that controls attestation might be done by internal or external auditors or management (self-attestation).

Upon completing these tests, evidence collected should be retained and results clearly documented.

  • Exceptions and findings regarding both control design and operational effectiveness should be reported and tabled to a governing committee, such as a board or risk committee. Following up on recommendations or remediation should be carried out annually and evidence of board of directors/committee oversight should be recorded in the respective minutes.

Outsourced tax functions

Management of entities with outsourced tax functions should demonstrate in their controls framework the methods that enable directors to rely on information, or professional expert advice in accordance with Section 189 of the Corporations ActExternal Link – specifically, directors should understand the information or advice before making an independent assessment. The testing of controls for an entity should include the following that are linked to the preparation and submission of the tax, excise and the BAS return:

  • internal controls
  • checklists
  • source documentation
  • communication protocols.

Management should consider the content of this document when meeting with service providers. This will ensure new transactions are disclosed to service providers and new developments or tax risks are communicated to management and escalated appropriately.

QC82060